- Making headers dynamic based on selected arguments so we don't have to constantly populate all of them - only the options we are actually using.

Author: joeavanzato

helpers/helpers.go

@@ -189,6 +189,28 @@ func DoesFileExist(filename string) bool {
 	return true
 }
 
+func GetHeaders(tempArgs map[string]any, headers []string) []string {
+	if !tempArgs["passthrough"].(bool) {
+		headers = append(headers, vars.GeoFields...)
+		if tempArgs["use_ti"].(bool) {
+			headers = append(headers, vars.ThreatFields...)
+		}
+		if tempArgs["use_dns"].(bool) {
+			headers = append(headers, vars.DNSFields...)
+		}
+		if tempArgs["use_whois"].(bool) {
+			if tempArgs["use_dns"].(bool) {
+				headers = append(headers, vars.WhoisDomainFields...)
+			}
+			headers = append(headers, vars.WhoisIPFields...)
+		}
+		if tempArgs["use_idb"].(bool) {
+			headers = append(headers, vars.IDBFields...)
+		}
+	}
+	return headers
+}
+
 func ListenOnWriteChannel(c chan []string, w *csv.Writer, logger zerolog.Logger, outputF *os.File, bufferSize int, wait *lbtypes.WaitGroupCount) {
 	// TODO - Consider having pool of routines appending records to slice [][]string and a single reader drawing from this to avoid any bottle-necks
 	// TODO - Consider sending writer in a goroutine with wait group, refilling buffer, etc.
@@ -376,8 +398,6 @@ func enrichRecord(logger zerolog.Logger, record []string, asnDB maxminddb.Reader
 		} else {
 			record = append(record, "none", "0", "none")
 		}
-	} else {
-		record = append(record, "NA", "NA", "0")
 	}
 
 	domain := ""
@@ -431,14 +451,14 @@ func enrichRecord(logger zerolog.Logger, record []string, asnDB maxminddb.Reader
 						logger.Error().Msg(setdnserr.Error())
 					}
 				}*/
-	} else {
-		record = append(record, "")
 	}
 	// For TLD
-	if domain == "." || domain == "" {
-		record = append(record, "none")
-	} else {
-		record = append(record, domain)
+	if tempArgs["use_dns"].(bool) {
+		if domain == "." || domain == "" {
+			record = append(record, "none")
+		} else {
+			record = append(record, domain)
+		}
 	}
 
 	// Removing for now as we can get TLD from live DNS if we are using that
@@ -460,22 +480,18 @@ func enrichRecord(logger zerolog.Logger, record []string, asnDB maxminddb.Reader
 	// Handling Domain WhoIS lookups if we are using DNS and have a parsed domain with tld for the IP in question
 	if tempArgs["use_whois"].(bool) && domain != "" && domain != "." {
 		record = append(record, DoDomainWhoisenrichment(domain)...)
-	} else {
+	} else if tempArgs["use_whois"].(bool) && tempArgs["use_dns"].(bool) {
 		// no whois used OR domain is invalid
 		record = append(record, "NA", "NA", "NA", "NA")
 	}
 
 	// Handling IP Whois lookups
 	if tempArgs["use_whois"].(bool) {
 		record = append(record, DoIPWhoisEnrichment(ipString)...)
-	} else {
-		record = append(record, "NA", "NA", "NA", "NA", "NA", "NA", "NA", "NA")
 	}
 
 	if tempArgs["use_idb"].(bool) {
 		record = append(record, DoIDBEnrichment(ipString)...)
-	} else {
-		record = append(record, "NA", "NA", "NA", "NA", "NA")
 	}
 
 	return record

main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"database/sql"
+	"encoding/json"
 	"errors"
 	"flag"
 	"fmt"
@@ -56,6 +57,7 @@ func parseArgs(logger zerolog.Logger) (map[string]any, error) {
 	updategeo := flag.Bool("updategeo", false, "Update local MaxMind databases, even if they are detected.")
 	passthrough := flag.Bool("passthrough", false, "Skip all enrichment steps - only perform log conversion to CSV")
 	includedc := flag.Bool("includedc", false, "Include datacenter list for Threat Intelligence enrichment - will add approximately ~129 million IP addresses to the DB (~7 GB on disk)")
+	idb := flag.Bool("idb", false, "Perform a live enrichment using the Shodan InternetDB")
 	ip := flag.String("ip", "", "Provide an IP address for ad-hoc enrichment via stdout")
 	flag.Parse()
 
@@ -99,6 +101,7 @@ func parseArgs(logger zerolog.Logger) (map[string]any, error) {
 		"includedc":       *includedc,
 		"ip":              *ip,
 		"whois":           *whois,
+		"idb":             *idb,
 	}
 
 	if (*intelfile != "" && (*inteltype == "" || *intelname == "")) || ((*intelfile == "" || *intelname == "") && *inteltype != "") || ((*intelfile == "" || *inteltype == "") && *intelname != "") {
@@ -209,6 +212,10 @@ func enrichLogs(arguments map[string]any, logFiles []string, logger zerolog.Logg
 
 	tempArgs["passthrough"] = arguments["passthrough"].(bool)
 	tempArgs["use_whois"] = arguments["whois"].(bool)
+	tempArgs["use_idb"] = arguments["idb"].(bool)
+	tempArgs["use_dns"] = arguments["dns"].(bool)
+	tempArgs["passthrough"] = arguments["passthrough"].(bool)
+	tempArgs["use_ti"] = arguments["useti"].(bool)
 	//startDate, endDate := getDateBounds(tempArgs)
 
 	// TODO - Make this OS independent
@@ -454,9 +461,31 @@ func processFile(arguments map[string]any, inputFile string, outputFile string,
 	}
 }
 
+func test() {
+	ipaddress := "8.8.8.8"
+	resp, err := helpers.IDB_Http_Client.Get(fmt.Sprintf("https://internetdb.shodan.io/%s", ipaddress))
+	if err != nil {
+		fmt.Println("Error %s", err)
+	}
+	defer resp.Body.Close()
+	if err != nil {
+		fmt.Println("Error %s", err)
+	}
+	dec := json.NewDecoder(resp.Body)
+	dec.DisallowUnknownFields()
+	var p lbtypes.ShodanIDBResponse
+	err = dec.Decode(&p)
+	if err != nil {
+		fmt.Println("Error %s", err)
+		vars.IDBfastcache.Set([]byte(ipaddress), []byte("error"))
+	}
+	fmt.Println(p)
+}
+
 func main() {
 	// TODO - Refactor all path handling to use path.Join or similar for OS-transparency
-
+	//test()
+	//return
 	logger := helpers.SetupLogger()
 	arguments, err := parseArgs(logger)
 	if err != nil {
@@ -594,4 +623,8 @@ func main() {
 	if saveWhoisCacheErr != nil {
 		logger.Error().Msg(saveWhoisCacheErr.Error())
 	}
+	saveIDBCacheErr := vars.IDBfastcache.SaveToFile(vars.IDBCacheFile)
+	if saveIDBCacheErr != nil {
+		logger.Error().Msg(saveIDBCacheErr.Error())
+	}
 }

parsers/parse_cef.go

@@ -4,7 +4,6 @@ import (
 	"encoding/csv"
 	"github.com/joeavanzato/logboost/helpers"
 	"github.com/joeavanzato/logboost/lbtypes"
-	"github.com/joeavanzato/logboost/vars"
 	"github.com/oschwald/maxminddb-golang"
 	"github.com/rs/zerolog"
 	"io"
@@ -164,12 +163,7 @@ func ParseCEF(logger zerolog.Logger, inputFile string, outputFile string, fullPa
 	}
 	// TODO - Sort
 	//sort.Sort(sort.StringSlice(headers))
-	if !tempArgs["passthrough"].(bool) {
-		headers = append(headers, vars.GeoFields...)
-		if tempArgs["use_idb"].(bool) {
-			headers = append(headers, vars.IDBFields...)
-		}
-	}
+	headers = helpers.GetHeaders(tempArgs, headers)
 	outputF, err := helpers.CreateOutput(outputFile)
 	if err != nil {
 		return err

parsers/parse_clf.go

@@ -4,7 +4,6 @@ import (
 	"encoding/csv"
 	"github.com/joeavanzato/logboost/helpers"
 	"github.com/joeavanzato/logboost/lbtypes"
-	"github.com/joeavanzato/logboost/vars"
 	"github.com/oschwald/maxminddb-golang"
 	"github.com/rs/zerolog"
 	"io"
@@ -66,12 +65,8 @@ func ParseCLF(logger zerolog.Logger, inputFile string, outputFile string, asnDB
 		headers = append(headers, combinedHeaders...)
 	}
 
-	if !tempArgs["passthrough"].(bool) {
-		headers = append(headers, vars.GeoFields...)
-		if tempArgs["use_idb"].(bool) {
-			headers = append(headers, vars.IDBFields...)
-		}
-	}
+	headers = helpers.GetHeaders(tempArgs, headers)
+
 	outputF, err := helpers.CreateOutput(outputFile)
 	if err != nil {
 		return err

parsers/parse_csv.go

@@ -92,6 +92,18 @@ func ProcessCSV(logger zerolog.Logger, asnDB maxminddb.Reader, cityDB maxminddb.
 		logger.Error().Msgf("Error Processing File: %v", err.Error())
 		return
 	}
+	if tempArgs["use_ti"].(bool) {
+		headers = append(headers, vars.ThreatFields...)
+	}
+	if tempArgs["use_dns"].(bool) {
+		headers = append(headers, vars.DNSFields...)
+	}
+	if tempArgs["use_whois"].(bool) {
+		if tempArgs["use_dns"].(bool) {
+			headers = append(headers, vars.WhoisDomainFields...)
+		}
+		headers = append(headers, vars.WhoisIPFields...)
+	}
 	if tempArgs["use_idb"].(bool) {
 		headers = append(headers, vars.IDBFields...)
 	}

parsers/parse_iis_w3c.go

@@ -4,7 +4,6 @@ import (
 	"encoding/csv"
 	"github.com/joeavanzato/logboost/helpers"
 	"github.com/joeavanzato/logboost/lbtypes"
-	"github.com/joeavanzato/logboost/vars"
 	"github.com/oschwald/maxminddb-golang"
 	"github.com/rs/zerolog"
 	"io"
@@ -85,12 +84,7 @@ func ParseIISStyle(logger zerolog.Logger, asnDB maxminddb.Reader, cityDB maxmind
 		dateindex = helpers.FindTargetIndexInSlice(headers, arguments["datecol"].(string))
 	}
 
-	if !tempArgs["passthrough"].(bool) {
-		headers = append(headers, vars.GeoFields...)
-		if tempArgs["use_idb"].(bool) {
-			headers = append(headers, vars.IDBFields...)
-		}
-	}
+	headers = helpers.GetHeaders(tempArgs, headers)
 	err = writer.Write(headers)
 	if err != nil {
 		logger.Error().Msg(err.Error())

parsers/parse_json.go

@@ -92,12 +92,7 @@ func ParseJSON(logger zerolog.Logger, asnDB maxminddb.Reader, cityDB maxminddb.R
 
 	headers = append(headers, jsonkeys...)
 	//sort.Sort(sort.StringSlice(headers))
-	if !arguments["passthrough"].(bool) {
-		headers = append(headers, vars.GeoFields...)
-		if tempArgs["use_idb"].(bool) {
-			headers = append(headers, vars.IDBFields...)
-		}
-	}
+	headers = helpers.GetHeaders(tempArgs, headers)
 	err = writer.Write(headers)
 	if err != nil {
 		logger.Error().Msg(err.Error())

parsers/parse_json_multi.go

@@ -180,12 +180,7 @@ func ParseMultiLineJSON(logger zerolog.Logger, asnDB maxminddb.Reader, cityDB ma
 	// Sort JSONKeys alphabetically
 	//sort.Sort(sort.StringSlice(headers))
 
-	if !arguments["passthrough"].(bool) {
-		headers = append(headers, vars.GeoFields...)
-		if tempArgs["use_idb"].(bool) {
-			headers = append(headers, vars.IDBFields...)
-		}
-	}
+	headers = helpers.GetHeaders(tempArgs, headers)
 	err = writer.Write(headers)
 	if err != nil {
 		logger.Error().Msg(err.Error())

parsers/parse_kv.go

@@ -95,12 +95,7 @@ func ParseKV(logger zerolog.Logger, inputFile string, outputFile string, asnDB m
 	headers = append(headers, kvheaders...)
 	// TODO - Sort
 	//sort.Sort(sort.StringSlice(headers))
-	if !arguments["passthrough"].(bool) {
-		headers = append(headers, vars.GeoFields...)
-		if tempArgs["use_idb"].(bool) {
-			headers = append(headers, vars.IDBFields...)
-		}
-	}
+	headers = helpers.GetHeaders(tempArgs, headers)
 	err = writer.Write(headers)
 	if err != nil {
 		logger.Error().Msg(err.Error())

parsers/parse_raw.go

@@ -28,6 +28,18 @@ func ParseRaw(logger zerolog.Logger, asnDB maxminddb.Reader, cityDB maxminddb.Re
 	headers := make([]string, 0)
 	headers = append(headers, "line")
 	headers = append(headers, vars.GeoFields...)
+	if tempArgs["use_ti"].(bool) {
+		headers = append(headers, vars.ThreatFields...)
+	}
+	if tempArgs["use_dns"].(bool) {
+		headers = append(headers, vars.DNSFields...)
+	}
+	if tempArgs["use_whois"].(bool) {
+		if tempArgs["use_dns"].(bool) {
+			headers = append(headers, vars.WhoisDomainFields...)
+		}
+		headers = append(headers, vars.WhoisIPFields...)
+	}
 	if tempArgs["use_idb"].(bool) {
 		headers = append(headers, vars.IDBFields...)
 	}